CVE-2022-30414
Description
Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL Injection via /ctpms/admin/?page=applications/view_application&id=.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Covid-19 Travel Pass Management System v1.0 allows unauthenticated attackers to extract database contents via a crafted id parameter.
Vulnerability
Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL injection in the /ctpms/admin/?page=applications/view_application&id= endpoint. The id parameter is not sanitized, allowing attackers to inject SQL payloads. The vulnerability exists in the version distributed by oretnom23, as referenced in the vendor source code [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP GET request to the vulnerable endpoint with a malicious id parameter. No authentication is required, as the endpoint is accessible without a session, although a valid session may be needed for some paths. The reference payload 1%27%20and%20length(database())%20=8--+ demonstrates boolean-based blind SQL injection that leaks the database name length based on response content length differences [1]. The attacker can automate extraction of data by observing these differences.
Impact
Successful exploitation allows an attacker to extract sensitive information from the underlying MySQL database, including credentials, travel pass records, and other application data. The impact is information disclosure, leading to potential escalation or data breaches.
Mitigation
No official patch has been released as of the publication date (2022-05-13). The vendor has not addressed the vulnerability, and the application may be unmaintained. Users should immediately remove the application from public-facing networks or implement a web application firewall (WAF) rule to block SQL injection patterns in the id parameter. There is no known inclusion in CISA's KEV catalog at this time.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
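The WAF recommendation in the Mitigation section comes down to an allowlist: on this endpoint, `id` should be a plain integer and nothing else. The following is an added example, not code from the vendor or from this CVE record, that applies that check to access-log lines to find requests that violate it. The combined log format, the sample log lines, and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the CVE description.
ADMIN_PATH = "/ctpms/admin"
VULN_PAGE = "applications/view_application"
STRICT_ID = re.compile(r"[0-9]{1,10}")  # ASCII digits only, bounded length
# Request target inside a combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def id_is_safe(target):
    """False if target hits the vulnerable page without exactly one integer id."""
    parts = urlsplit(target)
    if not parts.path.startswith(ADMIN_PATH):
        return True
    query = parse_qs(parts.query, keep_blank_values=True)
    if VULN_PAGE not in query.get("page", []):
        return True
    ids = query.get("id", [])
    # parse_qs has already URL-decoded the value; duplicate or missing ids fail.
    return len(ids) == 1 and STRICT_ID.fullmatch(ids[0]) is not None

def flag_log_lines(lines):
    """Return (line_number, request_target) for each request that fails the check."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and not id_is_safe(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [13/May/2022:10:00:01 +0000] "GET /ctpms/admin/?page=applications/view_application&id=4 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [13/May/2022:10:00:02 +0000] "GET /ctpms/admin/?page=applications/view_application&id=1%27%20and%20length(database())%20=8--+ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [13/May/2022:10:00:03 +0000] "GET /ctpms/admin/?page=applications/view_application&id=4&id=x HTTP/1.1" 200 4011',
    '203.0.113.9 - - [13/May/2022:10:00:04 +0000] "GET /ctpms/admin/?page=home HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for n, target in flag_log_lines(SAMPLE_LOG):
        print(f"line {n}: id is not a single integer -> {target}")
```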
Affected products
- Covid-19 Travel Pass Management System/Covid-19 Travel Pass Management System
- Range: =1.0
Patches
No patches discovered yet.